qdm12 / gluetun

VPN client in a thin Docker container for multiple VPN providers, written in Go, and using OpenVPN or Wireguard, DNS over TLS, with a few proxy servers built-in.
https://hub.docker.com/r/qmcgaw/gluetun
MIT License
7.45k stars, 350 forks

Feature request: PIA Port Forwarding Wireguard Custom Config #2320

Closed xtinct101 closed 1 month ago

xtinct101 commented 3 months ago

What's the feature 🧐

Hello,

Firstly, thanks for your continued work on Gluetun. I use PIA and switched to a custom WireGuard config from OpenVPN. Everything works great, except that when I try to use "VPN_PORT_FORWARDING=on" with the custom provider I get an error stating that it can only be used with the PIA service provider. I'd like to have PIA port forwarding when using WireGuard; I've searched the wiki and the issues section but could not find a solution for this. Any help would be appreciated.

Extra information and references

No response

github-actions[bot] commented 3 months ago

@qdm12 is more or less the only maintainer of this project and works on it in his free time. Please:

qdm12 commented 3 months ago

Have you also set VPN_PORT_FORWARDING_PROVIDER="private internet access"?

xtinct101 commented 3 months ago

Thanks for the reply. I did not but have now added it and am getting this error:

gluetun  | 2024-06-16T22:26:19.715980602Z 2024-06-16T22:26:19Z INFO [port forwarding] starting
gluetun  | 2024-06-16T22:26:19.718359294Z panic: server name cannot be empty
gluetun  | 2024-06-16T22:26:19.718406926Z 
gluetun  | 2024-06-16T22:26:19.718420956Z goroutine 117 [running]:
gluetun  | 2024-06-16T22:26:19.718442649Z github.com/qdm12/gluetun/internal/provider/privateinternetaccess.(*Provider).PortForward(0x7f8100041380?, {0x1230458?, 0xc0000a4960?}, {{0x7f81280d58c8, 0xc000207900}, {{0x0, 0xffff0a0b8001}, 0xc000010018}, 0xc001988300, {0x0, ...}, ...})
gluetun  | 2024-06-16T22:26:19.718456186Z       github.com/qdm12/gluetun/internal/provider/privateinternetaccess/portforward.go:32 +0x6aa
gluetun  | 2024-06-16T22:26:19.718466679Z github.com/qdm12/gluetun/internal/portforward/service.(*Service).Start(0xc0001c2750, {0x1230458, 0xc0000a4960})
gluetun  | 2024-06-16T22:26:19.718474832Z       github.com/qdm12/gluetun/internal/portforward/service/start.go:32 +0x3b3
gluetun  | 2024-06-16T22:26:19.718486083Z github.com/qdm12/gluetun/internal/portforward.(*Loop).run(0xc00020d700, {0x1230458, 0xc0000a4960}, 0xc0001fc9c0?, 0xc0001fcae0, 0xc0001fca20, 0xc0001fca80)
gluetun  | 2024-06-16T22:26:19.718495178Z       github.com/qdm12/gluetun/internal/portforward/loop.go:119 +0x8f5
gluetun  | 2024-06-16T22:26:19.718506682Z created by github.com/qdm12/gluetun/internal/portforward.(*Loop).Start in goroutine 34
gluetun  | 2024-06-16T22:26:19.718514818Z       github.com/qdm12/gluetun/internal/portforward/loop.go:71 +0x20a
xtinct101 commented 3 months ago

Will add the SERVER_NAMES= and try again

xtinct101 commented 3 months ago

Ok, I've added SERVER_NAMES= and then ran

docker run --rm -v ./appdata/gluetun:/gluetun qmcgaw/gluetun format-servers -private-internet-access

to get a list of servers. I selected this server:

| CA Vancouver | `ca-vancouver.privacy.network` | vancouver419 | ✅ | ✅ | ✅ |

I used vancouver419 as the name but am still getting this error:

ERROR VPN settings: provider settings: server selection: for VPN service provider custom: the server name specified is not valid: one or more values is set but there is no possible value available

I also tried using ca-vancouver.privacy.network as the server name but got the same error. Here is my config:

      - VPN_SERVICE_PROVIDER=custom
      - VPN_TYPE=wireguard
      - VPN_ENDPOINT_IP=xxxx
      - VPN_ENDPOINT_PORT=1337
      - WIREGUARD_PUBLIC_KEY=xxxx
      - WIREGUARD_PRIVATE_KEY=xxxx
      - SERVER_NAMES=vancouver419
      - VPN_PORT_FORWARDING=on
      - VPN_PORT_FORWARDING_PROVIDER="private internet access"
      - WIREGUARD_ADDRESSES=xxxx

Am I still missing something?

xtinct101 commented 3 months ago

Could it be an issue that in the servers.json file all the PIA servers are listed as openvpn?

        "vpn": "openvpn",
        "region": "CA Vancouver",
        "server_name": "vancouver419",
        "hostname": "ca-vancouver.privacy.network",
        "tcp": true,
        "udp": true,
        "port_forward": true
qdm12 commented 3 months ago

Actually, PIA port forwarding using the custom provider/WireGuard has been an uphill battle for a month 😄 Sorry, I forgot when initially replying to your issue.

The tip of the conversation is really at https://github.com/qdm12/gluetun/issues/2048#issuecomment-2173676547 where we use SERVER_HOSTNAMES with the image qmcgaw/gluetun:pr-2254 (from #2254). I would really appreciate if you can help in the conversation on #2048 to try fixes I push on that branch 😉

Another related issue is #2147, but this would be unblocked and changed with #2048, so let's focus on #2048.

Closing this to avoid duplicate issues, thanks!

github-actions[bot] commented 3 months ago

Closed issues are NOT monitored, so commenting here is likely to be not seen. If you think this is still unresolved and have more information to bring, please create another issue.

This is an automated comment setup because @qdm12 is the sole maintainer of this project which became too popular to monitor issues closed.

qdm12 commented 3 months ago

Re-opening this since this is different than #2048 although very similar to #2147

qdm12 commented 3 months ago

I pushed 93ed87d12bf977f74b55c5e466ef92f56de5793f which should allow you to set SERVER_NAMES=someservername. It's a bit ugly since it's not really for filtering a server out of a pool of servers, and really just for PIA's port forwarding but... I'm being lazy 😄 Let me know if it helps! 👍

xtinct101 commented 3 months ago

is there a specific branch I need to use for this?

qdm12 commented 3 months ago

Nope, just the latest image, since this is really just a tiny fix and not a change/anything drastic 😉 You can docker pull qmcgaw/gluetun.

xtinct101 commented 3 months ago

Tried latest; it doesn't hang on the same error, but I now get this:

gluetun  | 2024-06-17T22:48:01.409292051Z 2024-06-17T22:48:01Z ERROR [vpn] getting public IP address information: fetching information: Get "https://ipinfo.io/": context canceled
gluetun  | 2024-06-17T22:48:01.409355734Z 2024-06-17T22:48:01Z ERROR [vpn] cannot get version information: Get "https://api.github.com/repos/qdm12/gluetun/commits": context canceled
gluetun  | 2024-06-17T22:48:01.409363950Z 2024-06-17T22:48:01Z INFO [port forwarding] starting
gluetun  | 2024-06-17T22:48:01.480912053Z 2024-06-17T22:48:01Z INFO [port forwarding] Found saved forwarded port data for port 25984
gluetun  | 2024-06-17T22:48:01.480973327Z 2024-06-17T22:48:01Z INFO [port forwarding] Port forwarded data expires in 62 days
gluetun  | 2024-06-17T22:48:01.509695250Z 2024-06-17T22:48:01Z WARN [dns] cannot update files: Get "https://www.internic.net/domain/named.root": dial tcp: lookup www.internic.net on 1.1.1.1:53: read udp 10.11.128.3:56432->1.1.1.1:53: i/o timeout
gluetun  | 2024-06-17T22:48:01.509752942Z 2024-06-17T22:48:01Z INFO [dns] attempting restart in 10s
qdm12 commented 3 months ago

Oh that's just the VPN server not working for whatever reason. Try another server/double check your Wireguard credentials?

xtinct101 commented 3 months ago

Yeah, I guess the config changes and it screws up the Gluetun connection. I updated the config with the latest server info and this is what I see in the logs:

gluetun  | 2024-06-18T03:09:27.172317869Z 2024-06-18T03:09:27Z INFO [vpn] You are running on the bleeding edge of latest!
gluetun  | 2024-06-18T03:09:27.172379146Z 2024-06-18T03:09:27Z INFO [port forwarding] starting
gluetun  | 2024-06-18T03:09:27.173012454Z 2024-06-18T03:09:27Z INFO [port forwarding] Found saved forwarded port data for port 25984
gluetun  | 2024-06-18T03:09:27.173075370Z 2024-06-18T03:09:27Z INFO [port forwarding] Port forwarded data expires in 62 days
gluetun  | 2024-06-18T03:09:57.174333135Z 2024-06-18T03:09:57Z ERROR [vpn] port forwarding for the first time: binding port: Get "https://10.4.249.1:19999/bindPort?payload=<payload>&signature=<signature>": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
xtinct101 commented 3 months ago

Just as reference, I've been using https://github.com/thrnz/docker-wireguard-pia for my PIA wireguard + portforwarding and it seems to connect successfully. Not sure how he/she is doing it but thought I'd just mention it in case its of any help.

qdm12 commented 3 months ago

Perhaps try another VPN server? Would 10.4.249.1 conflict with your Docker network or LAN perhaps? For example, 10.0.0.0/8 would conflict. If not, can you share what you get when running docker exec gluetun /bin/sh -c "ip route show all"? I'm curious to see; maybe my code detects the VPN server gateway IP address wrongly.

I checked thrnz/docker-wireguard-pia and it does use the same (https://github.com/thrnz/docker-wireguard-pia/blob/30fb739fd38f06086eed332fdacab88064a73701/extra/pf.sh#L123 and https://github.com/thrnz/docker-wireguard-pia/blob/30fb739fd38f06086eed332fdacab88064a73701/extra/pf.sh#L226) as in the current Gluetun code.

EDIT: also, port forwarding was working fine with OpenVPN correct?

xtinct101 commented 3 months ago

Yes, using OpenVPN with the Montreal location works. The others, Vancouver/Toronto, do not.

I tried other servers using WireGuard but it's the same issue. This is what I get when running that command:

default via 192.168.90.1 dev eth0 
192.168.90.0/24 dev eth0 proto kernel scope link src 192.168.90.20
xtinct101 commented 3 months ago

Hi again, 10.4.249.1 is not conflicting with my docker network or lan.

I've also tried a few servers and I still get this error:

gluetun | 2024-06-21T21:47:10.367471392Z 2024-06-21T21:47:10Z ERROR [vpn] port forwarding for the first time: binding port: Get "https://10.20.191.1:19999/bindPort?payload=<payload>&signature=<signature>": context deadline exceeded (Client.Timeout exceeded while awaiting headers)

I've tried with disabling the firewall, adding outbound_subnets but always the same error.

├── VPN settings:
|   ├── VPN provider settings:
|   |   ├── Name: custom
|   |   ├── Server selection settings:
|   |   |   ├── VPN type: wireguard
|   |   |   ├── Target IP address: 181.41.202.239
|   |   |   ├── Server names: vancouver435
|   |   |   └── Wireguard selection settings:
|   |   |       ├── Endpoint IP address: 181.41.202.239
|   |   |       ├── Endpoint port: 1337
|   |   |       └── Server public key: xxxx
|   |   └── Automatic port forwarding settings:
|   |       ├── Redirection listening port: disabled
|   |       ├── Use code for provider: private internet access
|   |       └── Forwarded port file path: /gluetun/port.txt
|   └── Wireguard settings:
|       ├── Private key: xxxx
|       ├── Interface addresses:
|       |   └── 10.20.191.190/32
|       ├── Allowed IPs:
|       |   ├── 0.0.0.0/0
|       |   └── ::/0
|       └── Network interface: tun0
|           └── MTU: 1400
|       ├── Update period: every 24h0m0s
|       ├── Unbound settings:
|       |   ├── Authoritative servers:
|       |   |   └── cloudflare
|       |   ├── Caching: yes
|       |   ├── IPv6: no
|       |   ├── Verbosity level: 1
|       |   ├── Verbosity details level: 0
|       |   ├── Validation log level: 0
|       |   ├── System user: root
|       |   └── Allowed networks:
|       |       ├── 0.0.0.0/0
|       |       └── ::/0
|       └── DNS filtering settings:
|           ├── Block malicious: yes
|           ├── Block ads: no
|           ├── Block surveillance: no
|           └── Blocked IP networks:
|               ├── 127.0.0.1/8
|               ├── 10.0.0.0/8
|               ├── 172.16.0.0/12
|               ├── 192.168.0.0/16
|               ├── 169.254.0.0/16
|               ├── ::1/128
|               ├── fc00::/7
|               ├── fe80::/10
|               ├── ::ffff:127.0.0.1/104
|               ├── ::ffff:10.0.0.0/104
|               ├── ::ffff:169.254.0.0/112
|               ├── ::ffff:172.16.0.0/108
|               └── ::ffff:192.168.0.0/112
├── Firewall settings:
|   ├── Enabled: yes
|   ├── Debug mode: on
|   └── Outbound subnets:
|       └── 192.168.90.0/24
├── Log settings:
|   └── Log level: info
├── Health settings:
|   ├── Server listening address: 127.0.0.1:9999
|   ├── Target address: cloudflare.com:443
|   ├── Duration to wait after success: 5s
|   ├── Read header timeout: 100ms
|   ├── Read timeout: 500ms
|   └── VPN wait durations:
|       ├── Initial duration: 6s
|       └── Additional duration: 5s
├── Shadowsocks server settings:
|   └── Enabled: no
├── HTTP proxy settings:
|   └── Enabled: no
├── Control server settings:
|   ├── Listening address: :8000
|   └── Logging: yes
├── OS Alpine settings:
|   ├── Process UID: 1000
|   └── Process GID: 1000
├── Public IP settings:
|   ├── Fetching: every 12h0m0s
|   ├── IP file path: /tmp/gluetun/ip
|   └── Public IP data API: ipinfo
└── Version settings:
    └── Enabled: yes
qdm12 commented 2 months ago

Sorry for the delay getting back!

My apologies the command isn't docker exec gluetun /bin/sh -c "ip route show all" but it is:

docker exec gluetun /bin/sh -c "ip route show table all"

In my case I have a line

local 10.66.79.36 dev tun0 table local proto kernel scope host src 10.66.79.36

and the gateway should be 10.66.79.36. I'm wondering if the gateway detected in Gluetun (in your case 10.20.191.1) matches the gateway found in the routes.

xtinct101 commented 2 months ago

Here's the result.

default dev tun0 table 51820 
192.168.90.0/24 via 192.168.90.1 dev eth0 table 199 
default via 192.168.90.1 dev eth0 table 200 
default via 192.168.90.1 dev eth0 
192.168.90.0/24 dev eth0 proto kernel scope link src 192.168.90.14 
local 10.23.219.221 dev tun0 table local proto kernel scope host src 10.23.219.221 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
local 192.168.90.14 dev eth0 table local proto kernel scope host src 192.168.90.14 
broadcast 192.168.90.255 dev eth0 table local proto kernel scope link src 192.168.90.14

In the logs I have 2 errors.

gluetun  | 2024-06-29T17:45:46.902222698Z 2024-06-29T17:45:46Z ERROR [vpn] getting public IP address information: fetching information: Get "https://ipinfo.io/": dial tcp: lookup ipinfo.io on 127.0.0.1:53: read udp 127.0.0.1:44865->127.0.0.1:53: i/o timeout
gluetun  | 2024-06-29T17:45:46.902245035Z 2024-06-29T17:45:46Z INFO [port forwarding] starting
gluetun  | 2024-06-29T17:45:46.902511947Z 2024-06-29T17:45:46Z INFO [port forwarding] Found saved forwarded port data for port 25984
gluetun  | 2024-06-29T17:45:46.902514103Z 2024-06-29T17:45:46Z INFO [port forwarding] Port forwarded data expires in 50 days
gluetun  | 2024-06-29T17:46:16.906623985Z 2024-06-29T17:46:16Z ERROR [vpn] port forwarding for the first time: binding port: Get "https://10.23.219.1:19999/bindPort?payload=<payload>&signature=<signature>": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
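The comparison qdm12 asked for in the previous comment, as an added Go example that is not part of gluetun and not from any participant in this thread: it parses the `ip route show table all` output posted just above (copied verbatim into a constant), takes the address the kernel assigned to tun0 from the `local ... dev tun0 table local` entry, derives the port-forwarding gateway as the first host of that address's /24, and checks it against the 10.23.219.1 that gluetun logged. That derivation rule is an assumption inferred from the address pairs visible in this thread (10.20.191.190 -> 10.20.191.1, 10.23.219.221 -> 10.23.219.1), not read from gluetun's source. The last helper checks the other possibility raised earlier, that a LAN or Docker subnet such as 10.0.0.0/8 already covers the gateway address.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// routeOutput copies the `ip route show table all` output posted in this thread.
const routeOutput = `default dev tun0 table 51820
192.168.90.0/24 via 192.168.90.1 dev eth0 table 199
default via 192.168.90.1 dev eth0 table 200
default via 192.168.90.1 dev eth0
192.168.90.0/24 dev eth0 proto kernel scope link src 192.168.90.14
local 10.23.219.221 dev tun0 table local proto kernel scope host src 10.23.219.221
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
local 192.168.90.14 dev eth0 table local proto kernel scope host src 192.168.90.14
broadcast 192.168.90.255 dev eth0 table local proto kernel scope link src 192.168.90.14`

// tunLocalAddress returns the IPv4 address the kernel assigned to dev, read from the
// "local <addr> dev <dev> table local ..." entry of the local routing table.
func tunLocalAddress(output, dev string) (net.IP, error) {
	for _, line := range strings.Split(output, "\n") {
		f := strings.Fields(line)
		if len(f) < 4 || f[0] != "local" || f[2] != "dev" || f[3] != dev {
			continue
		}
		// Skip prefix entries such as "local 127.0.0.0/8"; ParseIP rejects CIDR notation.
		if ip := net.ParseIP(f[1]); ip != nil && ip.To4() != nil {
			return ip.To4(), nil
		}
	}
	return nil, fmt.Errorf("no local IPv4 address on %s", dev)
}

// piaGatewayFor derives the gateway queried on port 19999 as the first host of the
// interface address's /24. Assumption inferred from the thread's logs
// (10.23.219.221 -> 10.23.219.1); not taken from gluetun's source.
func piaGatewayFor(addr net.IP) net.IP {
	gw := make(net.IP, net.IPv4len)
	copy(gw, addr.To4())
	gw[3] = 1
	return gw
}

// loggedGatewayMatches checks the gateway printed in a gluetun error line against
// the one derived from the routing table.
func loggedGatewayMatches(output, dev, logged string) (bool, error) {
	addr, err := tunLocalAddress(output, dev)
	if err != nil {
		return false, err
	}
	return piaGatewayFor(addr).Equal(net.ParseIP(logged)), nil
}

// localConflicts lists connected "<prefix> dev <iface> ..." routes (LAN or Docker
// network) whose prefix already contains the gateway, the 10.0.0.0/8-style clash
// mentioned earlier in the thread. An empty result means no conflict.
func localConflicts(output string, gw net.IP) []string {
	var out []string
	for _, line := range strings.Split(output, "\n") {
		f := strings.Fields(line)
		if len(f) < 3 || f[1] != "dev" {
			continue
		}
		if _, n, err := net.ParseCIDR(f[0]); err == nil && n.Contains(gw) {
			out = append(out, f[0]+" dev "+f[2])
		}
	}
	return out
}

func main() {
	ok, err := loggedGatewayMatches(routeOutput, "tun0", "10.23.219.1")
	fmt.Println("gateway matches routing table:", ok, err)
	addr, _ := tunLocalAddress(routeOutput, "tun0")
	fmt.Println("conflicting local subnets:", localConflicts(routeOutput, piaGatewayFor(addr)))
}
```

For the output posted above the derived gateway is 10.23.219.1, which is exactly what the bindPort error reports, and no connected route covers it, so the routing side is consistent and the timeout has to be explained by the tunnel itself, which is where the thread goes next.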
qdm12 commented 2 months ago

Oh the first error

[vpn] getting public IP address information: fetching information: Get "https://ipinfo.io/": dial tcp: lookup ipinfo.io on 127.0.0.1:53: read udp 127.0.0.1:44865->127.0.0.1:53: i/o timeout

Highlights the VPN connection is not working at all. That also explains the context deadline exceeded (Client.Timeout exceeded while awaiting headers) error after. Do you get this i/o timeout error every time? If so, please check your credentials / update your servers / try other servers.

xtinct101 commented 2 months ago

So I decided to completely wipe my config and start fresh. I don't get the error above, but this new error started showing up. I'm running WireGuard but it seems to want the OpenVPN auth file?

gluetun  | 2024-07-09T14:02:18.464657561Z 2024-07-09T14:02:18Z INFO [port forwarding] starting
gluetun  | 2024-07-09T14:02:18.465275699Z 2024-07-09T14:02:18Z ERROR [vpn] port forwarding for the first time: refreshing port forward data: fetching token: getting username and password: reading OpenVPN authentication file: open /etc/openvpn/auth.conf: no such file or directory
qdm12 commented 2 months ago

Whoops, fixed in 05017438145d4ed458eeaa185f981662147c05cb by adding variables VPN_PORT_FORWARDING_USERNAME and VPN_PORT_FORWARDING_PASSWORD (retro-compatible with OPENVPN_USER and OPENVPN_PASSWORD as well). Can you try pulling the latest image and set these 2 variables to see how it goes? Thanks!

xtinct101 commented 2 months ago

Grabbed the latest and added the variables. I now get this error:

gluetun | 2024-07-09T16:05:51.855626219Z 2024-07-09T16:05:51Z ERROR VPN settings: provider settings: port forwarding: port forwarding username is empty

Here are my env variables:

      - VPN_SERVICE_PROVIDER=custom
      - VPN_TYPE=wireguard
      - VPN_PORT_FORWARDING_USERNAME=pxxxx
      - VPN_PORT_FORWARDING_PASSWORD=Cxxxx
      - VPN_PORT_FORWARDING=on
      - VPN_PORT_FORWARDING_PROVIDER="private internet access"
      - VPN_PORT_FORWARDING_STATUS_FILE=/gluetun/port.txt
      - SERVER_NAMES=panama408
      - FIREWALL_OUTBOUND_SUBNETS=192.168.90.0/24
xtinct101 commented 2 months ago

Using OPENVPN_USER and OPENVPN_PASSWORD seems to fix that error, but I am still getting this issue:

gluetun | 2024-07-09T16:08:52.764591015Z 2024-07-09T16:08:52Z ERROR [vpn] port forwarding for the first time: refreshing port forward data: fetching port forwarding data: obtaining signature payload: Get "https://10.8.220.1:19999/getSignature?token=<token>": context deadline exceeded (Client.Timeout exceeded while awaiting headers)

No other errors are in the logs.

gluetun  | 2024-07-09T16:08:18.459308003Z 2024-07-09T16:08:18Z INFO [routing] default route found: interface eth0, gateway 192.168.90.1, assigned IP 192.168.90.14 and family v4
gluetun  | 2024-07-09T16:08:18.459315956Z 2024-07-09T16:08:18Z DEBUG [routing] ip rule add from 192.168.90.14/32 lookup 200 pref 100
gluetun  | 2024-07-09T16:08:18.459339757Z 2024-07-09T16:08:18Z INFO [routing] adding route for 0.0.0.0/0
gluetun  | 2024-07-09T16:08:18.459341743Z 2024-07-09T16:08:18Z DEBUG [routing] ip route replace 0.0.0.0/0 via 192.168.90.1 dev eth0 table 200
gluetun  | 2024-07-09T16:08:18.459374423Z 2024-07-09T16:08:18Z INFO [firewall] setting allowed subnets...
gluetun  | 2024-07-09T16:08:18.459376119Z 2024-07-09T16:08:18Z DEBUG [firewall] iptables-legacy --append OUTPUT -o eth0 -s 192.168.90.14 -d 192.168.90.0/24 -j ACCEPT
gluetun  | 2024-07-09T16:08:18.459956950Z 2024-07-09T16:08:18Z INFO [routing] default route found: interface eth0, gateway 192.168.90.1, assigned IP 192.168.90.14 and family v4
gluetun  | 2024-07-09T16:08:18.459958794Z 2024-07-09T16:08:18Z INFO [routing] adding route for 192.168.90.0/24
gluetun  | 2024-07-09T16:08:18.459960006Z 2024-07-09T16:08:18Z DEBUG [routing] ip route replace 192.168.90.0/24 via 192.168.90.1 dev eth0 table 199
gluetun  | 2024-07-09T16:08:18.459983297Z 2024-07-09T16:08:18Z DEBUG [routing] ip rule add to 192.168.90.0/24 lookup 199 pref 99
gluetun  | 2024-07-09T16:08:18.460000057Z 2024-07-09T16:08:18Z DEBUG [routing] ip rule add to 192.168.90.0/24 lookup 254 pref 98
gluetun  | 2024-07-09T16:08:18.460169125Z 2024-07-09T16:08:18Z INFO [dns] using plaintext DNS at address 1.1.1.1
gluetun  | 2024-07-09T16:08:18.460199853Z 2024-07-09T16:08:18Z INFO [http server] http server listening on [::]:8000
gluetun  | 2024-07-09T16:08:18.460232723Z 2024-07-09T16:08:18Z INFO [firewall] allowing VPN connection...
gluetun  | 2024-07-09T16:08:18.460234240Z 2024-07-09T16:08:18Z DEBUG [firewall] iptables-legacy --append OUTPUT -d 91.90.126.88 -o eth0 -p udp -m udp --dport 1337 -j ACCEPT
gluetun  | 2024-07-09T16:08:18.460260807Z 2024-07-09T16:08:18Z INFO [healthcheck] listening on 127.0.0.1:9999
gluetun  | 2024-07-09T16:08:18.460750828Z 2024-07-09T16:08:18Z DEBUG [firewall] iptables-legacy --append OUTPUT -o tun0 -j ACCEPT
gluetun  | 2024-07-09T16:08:18.461157822Z 2024-07-09T16:08:18Z DEBUG [firewall] ip6tables-legacy --append OUTPUT -o tun0 -j ACCEPT
gluetun  | 2024-07-09T16:08:18.461833053Z 2024-07-09T16:08:18Z INFO [wireguard] Using available kernelspace implementation
gluetun  | 2024-07-09T16:08:18.462251471Z 2024-07-09T16:08:18Z INFO [wireguard] Connecting to 91.90.126.88:1337
gluetun  | 2024-07-09T16:08:18.462517433Z 2024-07-09T16:08:18Z INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
gluetun  | 2024-07-09T16:08:18.501475793Z 2024-07-09T16:08:18Z INFO [healthcheck] healthy!
gluetun  | 2024-07-09T16:08:18.563060589Z 2024-07-09T16:08:18Z INFO [dns] downloading DNS over TLS cryptographic files
gluetun  | 2024-07-09T16:08:18.903937130Z 2024-07-09T16:08:18Z INFO [dns] downloading hostnames and IP block lists
gluetun  | 2024-07-09T16:08:21.335495149Z 2024-07-09T16:08:21Z INFO [dns] init module 0: validator
gluetun  | 2024-07-09T16:08:21.335515269Z 2024-07-09T16:08:21Z INFO [dns] init module 1: iterator
gluetun  | 2024-07-09T16:08:21.358055885Z 2024-07-09T16:08:21Z INFO [dns] start of service (unbound 1.20.0).
gluetun  | 2024-07-09T16:08:21.453470698Z 2024-07-09T16:08:21Z INFO [dns] generate keytag query _ta-4a5c-4f66. NULL IN
gluetun  | 2024-07-09T16:08:21.512520032Z 2024-07-09T16:08:21Z INFO [dns] ready
gluetun  | 2024-07-09T16:08:21.847312274Z 2024-07-09T16:08:21Z INFO [ip getter] Public IP address is 91.90.126.88 (United States, California, Los Angeles)
gluetun  | 2024-07-09T16:08:22.202995031Z 2024-07-09T16:08:22Z INFO [vpn] You are running on the bleeding edge of latest!
gluetun  | 2024-07-09T16:08:22.203066246Z 2024-07-09T16:08:22Z INFO [port forwarding] starting
gluetun  | 2024-07-09T16:08:52.764591015Z 2024-07-09T16:08:52Z ERROR [vpn] port forwarding for the first time: refreshing port forward data: fetching port forwarding data: obtaining signature payload: Get "https://10.8.220.1:19999/getSignature?token=<token>": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
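The exchange behind the getSignature and bindPort errors in this thread, as an added Go example that is neither gluetun's code nor from any participant. The URLs, query parameters and port 19999 are taken from the error lines above; the base64 JSON layout of the payload (token, port, expires_at) is the one pia-foss/manual-connections' port_forwarding.sh decodes; the gateway itself is replaced by a constructed in-process TLS server so the code runs offline, and the fake signature it issues is not checked anywhere. Two things the code makes explicit: the gateway is dialed by IP, so the client pins a trust root and supplies the expected certificate name rather than trusting the system store, which is what PIA's own scripts do with curl's --cacert and --connect-to (that the "server name cannot be empty" panic and the SERVER_NAMES workaround earlier in this thread relate to the same TLS check is an inference, not something the thread confirms); and a 30-second http.Client timeout is what produces the exact "Client.Timeout exceeded while awaiting headers" wording when the tunnel carries no traffic. The token step (POST to /api/client/v2/token with the PIA username and password) is not modelled; the example starts from an already obtained token. PIA's scripts repeat bindPort every 15 minutes, otherwise the mapping lapses.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"time"
)

// pfPayload is the JSON carried base64-encoded in getSignature's "payload" field
// (field names as used by pia-foss/manual-connections' port_forwarding.sh).
type pfPayload struct {
	Token     string    `json:"token"`
	Port      uint16    `json:"port"`
	ExpiresAt time.Time `json:"expires_at"`
}

// apiResp covers both gateway replies: getSignature sets Payload/Signature, bindPort Message.
type apiResp struct {
	Status    string `json:"status"`
	Payload   string `json:"payload,omitempty"`
	Signature string `json:"signature,omitempty"`
	Message   string `json:"message,omitempty"`
}

// newGatewayClient: the gateway is dialed by IP, so the certificate's name is supplied
// explicitly (ServerName) and the trust root pinned (RootCAs). The 30s Timeout is what
// yields "context deadline exceeded (Client.Timeout exceeded while awaiting headers)".
func newGatewayClient(roots *x509.CertPool, serverName string) *http.Client {
	tc := &tls.Config{RootCAs: roots, ServerName: serverName, MinVersion: tls.VersionTLS12}
	return &http.Client{Timeout: 30 * time.Second, Transport: &http.Transport{TLSClientConfig: tc}}
}

// call performs GET <base>/<path>?<query> and rejects any non-OK status.
func call(c *http.Client, base, path string, q url.Values) (apiResp, error) {
	var r apiResp
	resp, err := c.Get(base + "/" + path + "?" + q.Encode()) // a dead tunnel times out here
	if err != nil {
		return r, err
	}
	defer resp.Body.Close()
	if err := json.NewDecoder(resp.Body).Decode(&r); err != nil {
		return r, err
	}
	if r.Status != "OK" {
		return r, fmt.Errorf("%s status %q: %s", path, r.Status, r.Message)
	}
	return r, nil
}

// forwardPort runs the exchange once (getSignature with the PIA token, then bindPort with
// the returned payload and signature) and returns the forwarded port and the whole days
// left before expiry, the figure gluetun logs as "expires in N days".
func forwardPort(c *http.Client, base, token string, now time.Time) (uint16, int, error) {
	sig, err := call(c, base, "getSignature", url.Values{"token": {token}})
	if err != nil {
		return 0, 0, fmt.Errorf("obtaining signature payload: %w", err)
	}
	var data pfPayload
	raw, err := base64.StdEncoding.DecodeString(sig.Payload)
	if err == nil {
		err = json.Unmarshal(raw, &data)
	}
	if err != nil {
		return 0, 0, fmt.Errorf("decoding payload: %w", err)
	}
	q := url.Values{"payload": {sig.Payload}, "signature": {sig.Signature}}
	if _, err := call(c, base, "bindPort", q); err != nil {
		return 0, 0, fmt.Errorf("binding port: %w", err)
	}
	return data.Port, int(data.ExpiresAt.Sub(now).Hours() / 24), nil
}

// newFakeGateway is a constructed in-process stand-in for the gateway on :19999 so the
// example runs offline; it is not PIA's server and does no real signing.
func newFakeGateway(token string, port uint16, expires time.Time) *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/getSignature", func(w http.ResponseWriter, r *http.Request) {
		raw, _ := json.Marshal(pfPayload{Token: token, Port: port, ExpiresAt: expires})
		json.NewEncoder(w).Encode(apiResp{Status: "OK", Payload: base64.StdEncoding.EncodeToString(raw), Signature: "fake-sig"})
	})
	mux.HandleFunc("/bindPort", func(w http.ResponseWriter, r *http.Request) {
		json.NewEncoder(w).Encode(apiResp{Status: "OK", Message: "port scheduled for add"})
	})
	return httptest.NewTLSServer(mux)
}

func main() {
	now := time.Now().UTC()
	gw := newFakeGateway("token-from-pia-api", 25984, now.Add(62*24*time.Hour))
	roots := x509.NewCertPool()
	roots.AddCert(gw.Certificate())             // pin the fake's cert, as one would pin PIA's CA
	c := newGatewayClient(roots, "example.com") // a name present in httptest's certificate
	fmt.Println(forwardPort(c, gw.URL, "token-from-pia-api", now))
}
```

Against a real gateway, RootCAs would hold PIA's CA certificate and ServerName the server's hostname; with a wrong name the handshake fails before any request is sent, which is a different failure from the timeout seen in this thread, where the request goes out and nothing ever comes back.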
jpcapone commented 2 months ago

I am wanting to test this config out as well but I am having a hard time following which env variables to use along with which build of the image. If anyone can spare some time to clarify that for me I would love to test as well.

qdm12 commented 2 months ago

grabbed the latest and added variables. I now get this error

using OPENVPN_USER and OPENVPN_PASSWORD seems to fix that error but I am still getting this issue:

There is an important bug in the settings reading system, I'm working on a fix first (EDIT: also life got in the way, so will finish this likely tomorrow)

@jpcapone

I am wanting to test this config out as well but I am having a hard time following which env variables to use along with which build of the image. If anyone can spare some time to clarify that for me I would love to test as well.

Thanks for trying to help debug this 😉 This is the latest image qmcgaw/gluetun. Right now you can use OPENVPN_USER and OPENVPN_PASSWORD to set your PIA credentials for port forwarding if you use WireGuard with the custom provider.

jpcapone commented 2 months ago

Using these variables and the latest image

- VPN_SERVICE_PROVIDER=custom
- VPN_TYPE=wireguard
- OPENVPN_USER=xxxxxxxx
- OPENVPN_PASSWORD=xxxxxxx
- VPN_PORT_FORWARDING=on
- SERVER_NAMES=panama408

I am getting these errors:

2024-07-11T17:50:09Z WARN You are using the old environment variable OPENVPN_USER, please consider changing it to VPN_PORT_FORWARDING_USERNAME
2024-07-11T17:50:09Z WARN You are using the old environment variable OPENVPN_PASSWORD, please consider changing it to VPN_PORT_FORWARDING_PASSWORD
2024-07-11T17:50:09Z INFO [routing] default route found: interface eth0, gateway 172.29.0.1, assigned IP 172.29.0.2 and family v4
2024-07-11T17:50:09Z INFO [routing] local ethernet link found: eth0
2024-07-11T17:50:09Z INFO [routing] local ipnet found: 172.29.0.0/16
2024-07-11T17:50:09Z INFO [firewall] enabling...
2024-07-11T17:50:09Z INFO [firewall] enabled successfully
2024-07-11T17:50:10Z INFO [storage] creating /gluetun/servers.json with 19425 hardcoded servers
2024-07-11T17:50:10Z ERROR VPN settings: provider settings: server selection: Wireguard server selection settings: endpoint IP is not set
2024-07-11T17:50:10Z INFO Shutdown successful

I am gonna keep trying different things, but that's where I am at right now.

xtinct101 commented 2 months ago

Unless you're supplying Gluetun with a wg0 file, you will need to set up all the WireGuard endpoints.

      - VPN_SERVICE_PROVIDER=custom
      - VPN_TYPE=wireguard
      - OPENVPN_USER=xxxxxxxx
      - OPENVPN_PASSWORD=xxxxxxx
      - SERVER_NAMES=panama408
      - VPN_ENDPOINT_IP=xxxx
      - VPN_ENDPOINT_PORT=xxxx
      - WIREGUARD_PUBLIC_KEY=xxxx
      - WIREGUARD_PRIVATE_KEY=xxxx
      - VPN_PORT_FORWARDING=on
      - VPN_PORT_FORWARDING_PROVIDER="private internet access"
      - WIREGUARD_ADDRESSES=xxxx
jpcapone commented 2 months ago

Thank you so much. Ok so using the variables below:

VPN_SERVICE_PROVIDER=custom
VPN_TYPE=wireguard
OPENVPN_USER=pxxxx
OPENVPN_PASSWORD=xxxxxxx
SERVER_NAMES=bahamas402
VPN_ENDPOINT_IP=95.181.238.104
VPN_ENDPOINT_PORT=1337
WIREGUARD_PUBLIC_KEY=xxxxxx
WIREGUARD_PRIVATE_KEY=xxxxxx
VPN_PORT_FORWARDING=on
VPN_PORT_FORWARDING_PROVIDER="private internet access"
WIREGUARD_ADDRESSES=xx.xx.xx.xx/32

Now with the settings above I am only unsure about the WIREGUARD_ADDRESSES value. In the conf file it appears that only the IP listed for "Address" makes sense, and I added the /32 from what I have gathered from other posts.

2024-07-11T21:54:16Z INFO [vpn] starting
2024-07-11T21:54:16Z INFO [firewall] allowing VPN connection...
2024-07-11T21:54:16Z INFO [wireguard] Using available kernelspace implementation
2024-07-11T21:54:16Z INFO [wireguard] Connecting to 95.181.238.104:1337
2024-07-11T21:54:16Z INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
2024-07-11T21:54:31Z ERROR [vpn] getting public IP address information: fetching information: Get "https://ipinfo.io/": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
2024-07-11T21:54:31Z INFO [port forwarding] starting
2024-07-11T21:54:46Z ERROR [vpn] port forwarding for the first time: refreshing port forward data: fetching token: Post "https://www.privateinternetaccess.com/api/client/v2/token": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
2024-07-11T21:54:47Z INFO [healthcheck] program has been unhealthy for 26s: restarting VPN
2024-07-11T21:54:47Z INFO [healthcheck] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
2024-07-11T21:54:47Z INFO [healthcheck] DO NOT OPEN AN ISSUE UNLESS YOU READ AND TRIED EACH POSSIBLE SOLUTION
2024-07-11T21:54:47Z INFO [vpn] stopping
2024-07-11T21:54:47Z INFO [vpn] starting
2024-07-11T21:54:47Z INFO [firewall] allowing VPN connection...
2024-07-11T21:54:47Z INFO [wireguard] Using available kernelspace implementation
2024-07-11T21:54:47Z INFO [wireguard] Connecting to 95.181.238.104:1337
2024-07-11T21:54:47Z INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
2024-07-11T21:54:49Z INFO [dns] downloading DNS over TLS cryptographic files
2024-07-11T21:55:02Z ERROR [vpn] getting public IP address information: fetching information: Get "https://ipinfo.io/": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
2024-07-11T21:55:02Z INFO [port forwarding] starting
2024-07-11T21:55:04Z WARN [dns] cannot update files: Get "https://www.internic.net/domain/named.root": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
2024-07-11T21:55:04Z INFO [dns] attempting restart in 1m20s
2024-07-11T21:55:17Z ERROR [vpn] port forwarding for the first time: refreshing port forward data: fetching token: Post "https://www.privateinternetaccess.com/api/client/v2/token": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
2024-07-11T21:55:27Z INFO [healthcheck] program has been unhealthy for 31s: restarting VPN
2024-07-11T21:55:27Z INFO [healthcheck] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
2024-07-11T21:55:27Z INFO [healthcheck] DO NOT OPEN AN ISSUE UNLESS YOU READ AND TRIED EACH POSSIBLE SOLUTION
2024-07-11T21:55:27Z INFO [vpn] stopping

The only other thing I think I can do on my side is mount a volume for Gluetun as I currently don't have one. I am open to any other suggestions.

xtinct101 commented 2 months ago

I use mine without the /32 or anything. WIREGUARD_ADDRESSES=xx.xx.xx.xx

Also, I would first try disabling the port forwarding to make sure the VPN is working without it. Second,

2024-07-11T21:55:02Z ERROR [vpn] getting public IP address information: fetching information: Get "https://ipinfo.io/": context deadline exceeded (Client.Timeout exceeded while awaiting headers)

I learnt that this error means the VPN isn't working. Where did you get the PIA conf file from? I've noticed that some of the servers for PIA from Gluetun seem outdated and don't necessarily work.

I use this to generate correct wg0 conf files. https://github.com/pia-foss

jpcapone commented 2 months ago

Thanks. I used https://github.com/pia-foss/manual-connections to generate the conf file.

I did remove the /32 and disabled port forwarding by removing the variable and the same error shows up again. Any other ideas?

xtinct101 commented 2 months ago

I would just double check your user/pass, public and private keys. If that doesn't work, try a different server. I know for sure, panama works so maybe give that a shot.

xtinct101 commented 2 months ago

Also, since you're generating the wg0 file, you can feed it directly to Gluetun so you don't need to figure out those settings and would just need these ones for testing connectivity.

- VPN_SERVICE_PROVIDER=custom
- VPN_TYPE=wireguard
- SERVER_NAMES=panama408
- FIREWALL_OUTBOUND_SUBNETS=192.168.0.0/24

Make sure to map a volume to the wg0 file like this. - xxxx/gluetun/wg0.conf:/gluetun/wireguard/wg0.conf

jpcapone commented 2 months ago

for FIREWALL_OUTBOUND_SUBNETS would that range need to be my LAN or the container network?

xtinct101 commented 2 months ago

For me it's the container network.

jpcapone commented 2 months ago

Ok, I have mounted the actual wg0.conf file, which was created with the Panama server, and am using the variables below (take note: no VPN port forwarding).

      - VPN_SERVICE_PROVIDER=custom
      - VPN_TYPE=wireguard
      - SERVER_NAMES=panama408
      - FIREWALL_OUTBOUND_SUBNETS=172.29.0.0/24

I get the following:

Running version latest built on 2024-07-09T14:47:46.048Z (commit 0501743)

🔧 Need help? https://github.com/qdm12/gluetun/discussions/new
🐛 Bug? https://github.com/qdm12/gluetun/issues/new
✨ New feature? https://github.com/qdm12/gluetun/issues/new
☕ Discussion? https://github.com/qdm12/gluetun/discussions/new
💻 Email? quentin.mcgaw@gmail.com
💰 Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm12
2024-07-12T00:05:41Z WARN You are using the old environment variable OPENVPN_USER, please consider changing it to VPN_PORT_FORWARDING_USERNAME
2024-07-12T00:05:41Z WARN You are using the old environment variable OPENVPN_PASSWORD, please consider changing it to VPN_PORT_FORWARDING_PASSWORD
2024-07-12T00:05:41Z INFO [routing] default route found: interface eth0, gateway 172.29.0.1, assigned IP 172.29.0.2 and family v4
2024-07-12T00:05:41Z INFO [routing] local ethernet link found: eth0
2024-07-12T00:05:41Z INFO [routing] local ipnet found: 172.29.0.0/16
2024-07-12T00:05:41Z INFO [firewall] enabling...
2024-07-12T00:05:41Z INFO [firewall] enabled successfully
2024-07-12T00:05:41Z INFO [storage] creating /gluetun/servers.json with 19425 hardcoded servers
2024-07-12T00:05:41Z INFO Alpine version: 3.19.2
2024-07-12T00:05:41Z INFO OpenVPN 2.5 version: 2.5.10
2024-07-12T00:05:41Z INFO OpenVPN 2.6 version: 2.6.11
2024-07-12T00:05:41Z INFO Unbound version: 1.20.0
2024-07-12T00:05:41Z INFO IPtables version: v1.8.10
2024-07-12T00:05:41Z INFO Settings summary:
├── VPN settings:
|   ├── VPN provider settings:
|   |   ├── Name: custom
|   |   └── Server selection settings:
|   |       ├── VPN type: wireguard
|   |       ├── Target IP address: 91.90.126.91
|   |       ├── Server names: panama408
|   |       └── Wireguard selection settings:
|   |           ├── Endpoint IP address: 91.90.126.91
|   |           ├── Endpoint port: 1337
|   |           └── Server public key: 3SzMcnATWE/EoEhNeZ9r4xa8NZ/u7bDJptE1xFflaBE=
|   └── Wireguard settings:
|       ├── Private key: QP6...nI=
|       ├── Interface addresses:
|       |   └── 10.11.153.88/32
|       ├── Allowed IPs:
|       |   ├── 0.0.0.0/0
|       |   └── ::/0
|       └── Network interface: tun0
|           └── MTU: 1400
├── DNS settings:
|   ├── Keep existing nameserver(s): no
|   ├── DNS server address to use: 127.0.0.1
|   └── DNS over TLS settings:
|       ├── Enabled: yes
|       ├── Update period: every 24h0m0s
|       ├── Unbound settings:
|       |   ├── Authoritative servers:
|       |   |   └── cloudflare
|       |   ├── Caching: yes
|       |   ├── IPv6: no
|       |   ├── Verbosity level: 1
|       |   ├── Verbosity details level: 0
|       |   ├── Validation log level: 0
|       |   ├── System user: root
|       |   └── Allowed networks:
|       |       ├── 0.0.0.0/0
|       |       └── ::/0
|       └── DNS filtering settings:
|           ├── Block malicious: yes
|           ├── Block ads: no
|           ├── Block surveillance: no
|           └── Blocked IP networks:
|               ├── 127.0.0.1/8
|               ├── 10.0.0.0/8
|               ├── 172.16.0.0/12
|               ├── 192.168.0.0/16
|               ├── 169.254.0.0/16
|               ├── ::1/128
|               ├── fc00::/7
|               ├── fe80::/10
|               ├── ::ffff:127.0.0.1/104
|               ├── ::ffff:10.0.0.0/104
|               ├── ::ffff:169.254.0.0/112
|               ├── ::ffff:172.16.0.0/108
|               └── ::ffff:192.168.0.0/112
├── Firewall settings:
|   ├── Enabled: yes
|   └── Outbound subnets:
|       └── 172.29.0.0/24
├── Log settings:
|   └── Log level: info
├── Health settings:
|   ├── Server listening address: 127.0.0.1:9999
|   ├── Target address: cloudflare.com:443
|   ├── Duration to wait after success: 5s
|   ├── Read header timeout: 100ms
|   ├── Read timeout: 500ms
|   └── VPN wait durations:
|       ├── Initial duration: 6s
|       └── Additional duration: 5s
├── Shadowsocks server settings:
|   └── Enabled: no
├── HTTP proxy settings:
|   └── Enabled: no
├── Control server settings:
|   ├── Listening address: :8000
|   └── Logging: yes
├── OS Alpine settings:
|   ├── Process UID: 1000
|   └── Process GID: 1000
├── Public IP settings:
|   ├── Fetching: every 12h0m0s
|   ├── IP file path: /tmp/gluetun/ip
|   └── Public IP data API: ipinfo
└── Version settings:
    └── Enabled: yes
2024-07-12T00:05:41Z INFO [routing] default route found: interface eth0, gateway 172.29.0.1, assigned IP 172.29.0.2 and family v4
2024-07-12T00:05:41Z INFO [routing] adding route for 0.0.0.0/0
2024-07-12T00:05:41Z INFO [firewall] setting allowed subnets...
2024-07-12T00:05:41Z INFO [routing] default route found: interface eth0, gateway 172.29.0.1, assigned IP 172.29.0.2 and family v4
2024-07-12T00:05:41Z INFO [routing] adding route for 172.29.0.0/24
2024-07-12T00:05:41Z INFO TUN device is not available: open /dev/net/tun: no such file or directory; creating it...
2024-07-12T00:05:41Z INFO [dns] using plaintext DNS at address 1.1.1.1
2024-07-12T00:05:41Z INFO [http server] http server listening on [::]:8000
2024-07-12T00:05:41Z INFO [healthcheck] listening on 127.0.0.1:9999
2024-07-12T00:05:41Z INFO [firewall] allowing VPN connection...
2024-07-12T00:05:41Z INFO [wireguard] Using available kernelspace implementation
2024-07-12T00:05:41Z INFO [wireguard] Connecting to 91.90.126.91:1337
2024-07-12T00:05:41Z INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
2024-07-12T00:05:41Z INFO [dns] downloading DNS over TLS cryptographic files
2024-07-12T00:05:51Z INFO [healthcheck] program has been unhealthy for 6s: restarting VPN
2024-07-12T00:05:51Z INFO [healthcheck] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
2024-07-12T00:05:51Z INFO [healthcheck] DO NOT OPEN AN ISSUE UNLESS YOU READ AND TRIED EACH POSSIBLE SOLUTION
2024-07-12T00:05:51Z INFO [vpn] stopping
2024-07-12T00:05:51Z ERROR [vpn] getting public IP address information: fetching information: Get "https://ipinfo.io/": context canceled
2024-07-12T00:05:51Z ERROR [vpn] cannot get version information: Get "https://api.github.com/repos/qdm12/gluetun/commits": context canceled
2024-07-12T00:05:51Z INFO [vpn] starting
2024-07-12T00:05:51Z INFO [firewall] allowing VPN connection...
2024-07-12T00:05:51Z INFO [wireguard] Using available kernelspace implementation
2024-07-12T00:05:51Z INFO [wireguard] Connecting to 91.90.126.91:1337
2024-07-12T00:05:51Z INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
2024-07-12T00:05:56Z WARN [dns] cannot update files: Get "https://www.internic.net/domain/named.root": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
2024-07-12T00:05:56Z INFO [dns] attempting restart in 10s

I am gonna keep trying stuff but I would appreciate any suggestions....

xtinct101 commented 2 months ago

Can you paste your docker compose?

jpcapone commented 2 months ago

Here is the full docker compose

version: "3"
services:
  gluetun:
    image: qmcgaw/gluetun
    cap_add:
      - NET_ADMIN
    environment:
      - VPN_SERVICE_PROVIDER=custom
      - VPN_TYPE=wireguard
      - SERVER_NAMES=panama408
      - FIREWALL_OUTBOUND_SUBNETS=172.29.0.0/24
      - SHADOWSOCKS=on
      - SHADOWSOCKS_PASSWORD=xxxxx
      - HTTP_CONTROL_SERVER_ADDRESS=:8000
    volumes:
      - /etc/wireguard/wg0.conf:/gluetun/wireguard/wg0.conf
    ports:
      - 8388:8388/tcp
      - 8388:8388/udp
      - 8180:8180
      - 8000:8000
  qbittorrent:
    image: linuxserver/qbittorrent #orig: lscr.io/linuxserver/qbittorrent:latest
    container_name: qbittorrent1
    network_mode: service:gluetun # NOTE: network mode while inside the container, you  should still be able to talk to this service from your regular LAN via the host-IP
    environment:
      - PUID=0
      - PGID=0
      - TZ=America/New_York
      - WEBUI_PORT=8180
    volumes:
      - /var/lib/docker/volumes/wireguard/qbittorrent:/config # extra measure inside QB 'bind' to the WG IP you get
      - /media/Share/Complete/qbittorrent:/media/Share/Complete/qbittorrent
    restart: unless-stopped # no | always | on-failure | unless-stopped

xtinct101 commented 2 months ago

Add this and try. I would also turn off Shadowsocks for now for testing.

    devices:
      - /dev/net/tun:/dev/net/tun

jpcapone commented 2 months ago

I was wondering about that one. I added it and that error disappears but the error remains:

2024-07-12T13:59:22Z INFO [routing] default route found: interface eth0, gateway 172.29.0.1, assigned IP 172.29.0.2 and family v4
2024-07-12T13:59:22Z INFO [routing] adding route for 0.0.0.0/0
2024-07-12T13:59:22Z INFO [firewall] setting allowed subnets...
2024-07-12T13:59:22Z INFO [routing] default route found: interface eth0, gateway 172.29.0.1, assigned IP 172.29.0.2 and family v4
2024-07-12T13:59:22Z INFO [routing] adding route for 172.29.0.0/24
2024-07-12T13:59:22Z INFO [dns] using plaintext DNS at address 1.1.1.1
2024-07-12T13:59:22Z INFO [http server] http server listening on [::]:8000
2024-07-12T13:59:22Z INFO [firewall] allowing VPN connection...
2024-07-12T13:59:22Z INFO [healthcheck] listening on 127.0.0.1:9999
2024-07-12T13:59:22Z INFO [shadowsocks] listening TCP on [::]:8388
2024-07-12T13:59:22Z INFO [shadowsocks] listening UDP on [::]:8388
2024-07-12T13:59:22Z INFO [wireguard] Using available kernelspace implementation
2024-07-12T13:59:22Z INFO [wireguard] Connecting to 91.90.126.40:1337
2024-07-12T13:59:22Z INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
2024-07-12T13:59:22Z INFO [dns] downloading DNS over TLS cryptographic files
2024-07-12T13:59:32Z INFO [healthcheck] program has been unhealthy for 6s: restarting VPN
2024-07-12T13:59:32Z INFO [healthcheck] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
2024-07-12T13:59:32Z INFO [healthcheck] DO NOT OPEN AN ISSUE UNLESS YOU READ AND TRIED EACH POSSIBLE SOLUTION
2024-07-12T13:59:32Z INFO [vpn] stopping
2024-07-12T13:59:32Z ERROR [vpn] getting public IP address information: fetching information: Get "https://ipinfo.io/": context canceled
2024-07-12T13:59:32Z ERROR [vpn] cannot get version information: Get "https://api.github.com/repos/qdm12/gluetun/commits": context canceled
2024-07-12T13:59:32Z INFO [vpn] starting
2024-07-12T13:59:32Z INFO [firewall] allowing VPN connection...
2024-07-12T13:59:32Z INFO [wireguard] Using available kernelspace implementation
2024-07-12T13:59:32Z INFO [wireguard] Connecting to 91.90.126.40:1337
2024-07-12T13:59:32Z INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
2024-07-12T13:59:37Z WARN [dns] cannot update files: Get "https://www.internic.net/domain/named.root": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
2024-07-12T13:59:37Z INFO [dns] attempting restart in 10s
2024-07-12T13:59:44Z INFO [healthcheck] program has been unhealthy for 11s: restarting VPN
2024-07-12T13:59:44Z INFO [healthcheck] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
2024-07-12T13:59:44Z INFO [healthcheck] DO NOT OPEN AN ISSUE UNLESS YOU READ AND TRIED EACH POSSIBLE SOLUTION
2024-07-12T13:59:44Z INFO [vpn] stopping

jpcapone commented 2 months ago

I switched the server to Au Perth and it worked! But when I turned on port forwarding

      - VPN_PORT_FORWARDING=on
      - VPN_PORT_FORWARDING_PROVIDER="private internet access"

I got this error

2024-07-12T15:50:55Z WARN You are using the old environment variable OPENVPN_USER, please consider changing it to VPN_PORT_FORWARDING_USERNAME
2024-07-12T15:50:55Z WARN You are using the old environment variable OPENVPN_PASSWORD, please consider changing it to VPN_PORT_FORWARDING_PASSWORD
2024-07-12T15:50:55Z INFO [routing] default route found: interface eth0, gateway 172.29.0.1, assigned IP 172.29.0.2 and family v4
2024-07-12T15:50:55Z INFO [routing] local ethernet link found: eth0
2024-07-12T15:50:55Z INFO [routing] local ipnet found: 172.29.0.0/16
2024-07-12T15:50:55Z INFO [firewall] enabling...
2024-07-12T15:50:55Z INFO [firewall] enabled successfully
2024-07-12T15:50:55Z INFO [storage] creating /gluetun/servers.json with 19425 hardcoded servers
2024-07-12T15:50:55Z ERROR VPN settings: provider settings: port forwarding: port forwarding username is empty
2024-07-12T15:50:55Z INFO Shutdown successful

I added the variables below:

      - VPN_PORT_FORWARDING_USERNAME=pxxxxxx
      - VPN_PORT_FORWARDING_PASSWORD=xxxxxx

and got the same error. So my current compose file looks like

version: "3"
services:
  gluetun:
    image: qmcgaw/gluetun
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    environment:
      - VPN_SERVICE_PROVIDER=custom
      - VPN_TYPE=wireguard
      - SERVER_NAMES=perth403
      - FIREWALL_OUTBOUND_SUBNETS=172.29.0.0/24
      - VPN_PORT_FORWARDING=on
      - VPN_PORT_FORWARDING_PROVIDER="private internet access"
      - VPN_PORT_FORWARDING_USERNAME=xxxxxxxx
      - VPN_PORT_FORWARDING_PASSWORD=xxxxxxxx
      - SHADOWSOCKS=on
      - SHADOWSOCKS_PASSWORD=xxxxxxxx
      - HTTP_CONTROL_SERVER_ADDRESS=:8000
    volumes:
      - /etc/wireguard/wg0.conf:/gluetun/wireguard/wg0.conf
    ports:
      - 8388:8388/tcp
      - 8388:8388/udp
      - 8180:8180
      - 8000:8000
  qbittorrent:
    image: linuxserver/qbittorrent #orig: lscr.io/linuxserver/qbittorrent:latest
    container_name: qbittorrent1
    network_mode: service:gluetun # NOTE: network mode while inside the container, you  should still be able to talk to this service from your regular LAN via the host-IP
    environment:
      - PUID=0
      - PGID=0
      - TZ=America/New_York
      - WEBUI_PORT=8180
    volumes:
      - /var/lib/docker/volumes/wireguard/qbittorrent:/config # extra measure inside QB 'bind' to the WG IP you get
      - /media/Share/Complete/qbittorrent:/media/Share/Complete/qbittorrent
    restart: unless-stopped # no | always | on-failure | unless-stopped

xtinct101 commented 2 months ago

Use these for now as the new ones don't work.

      - OPENVPN_USER=
      - OPENVPN_PASSWORD=

jpcapone commented 2 months ago

OK, I missed your response before I switched back to using the variables instead of the mounted file. Either way I got the same result. I got further, but it seems to be failing on the port forwarding part:

2024-07-12T16:33:44Z INFO [routing] default route found: interface eth0, gateway 172.29.0.1, assigned IP 172.29.0.2 and family v4
2024-07-12T16:33:44Z INFO [routing] adding route for 0.0.0.0/0
2024-07-12T16:33:44Z INFO [firewall] setting allowed subnets...
2024-07-12T16:33:44Z INFO [routing] default route found: interface eth0, gateway 172.29.0.1, assigned IP 172.29.0.2 and family v4
2024-07-12T16:33:44Z INFO [routing] adding route for 172.29.0.0/24
2024-07-12T16:33:44Z INFO [dns] using plaintext DNS at address 1.1.1.1
2024-07-12T16:33:44Z INFO [http server] http server listening on [::]:8000
2024-07-12T16:33:44Z INFO [firewall] allowing VPN connection...
2024-07-12T16:33:44Z INFO [healthcheck] listening on 127.0.0.1:9999
2024-07-12T16:33:44Z INFO [shadowsocks] listening TCP on [::]:8388
2024-07-12T16:33:44Z INFO [shadowsocks] listening UDP on [::]:8388
2024-07-12T16:33:44Z INFO [wireguard] Using available kernelspace implementation
2024-07-12T16:33:44Z INFO [wireguard] Connecting to 179.61.228.3:1337
2024-07-12T16:33:44Z INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
2024-07-12T16:33:44Z INFO [dns] downloading DNS over TLS cryptographic files
2024-07-12T16:33:45Z INFO [healthcheck] healthy!
2024-07-12T16:33:48Z INFO [dns] downloading hostnames and IP block lists
2024-07-12T16:33:54Z INFO [dns] init module 0: validator
2024-07-12T16:33:54Z INFO [dns] init module 1: iterator
2024-07-12T16:33:54Z INFO [dns] start of service (unbound 1.20.0).
2024-07-12T16:33:55Z INFO [dns] generate keytag query _ta-4a5c-4f66. NULL IN
2024-07-12T16:33:58Z INFO [dns] ready
2024-07-12T16:33:59Z INFO [healthcheck] healthy!
2024-07-12T16:34:00Z INFO [ip getter] Public IP address is 179.61.228.3 (Australia, Western Australia, Perth)
2024-07-12T16:34:02Z INFO [vpn] You are running on the bleeding edge of latest!
2024-07-12T16:34:02Z INFO [port forwarding] starting
2024-07-12T16:34:34Z ERROR [vpn] port forwarding for the first time: refreshing port forward data: fetching port forwarding data: obtaining signature payload: Get "https://10.2.157.1:19999/getSignature?token=<token>": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
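
The two log excerpts in this thread (the healthcheck restart loop above with the Panama server, and this one where the tunnel is healthy but the port-forwarding call times out) are told apart by a handful of lines. As an added example, not gluetun's code and not from anyone in this thread, here is a Go triage routine that classifies those lines and reduces an excerpt to a verdict: tunnel down (restarts, never healthy) versus tunnel up but the in-tunnel PIA API endpoint unreachable. It also extracts the API host from the error URL and flags a token that is not redacted, since gluetun prints it as <token> and anything else in a pasted log is a leaked credential. The two sample logs are constructed from the lines posted above.

```go
package main

import (
	"net/url"
	"regexp"
	"strings"
)

// Finding is one event of interest extracted from a gluetun log line.
type Finding struct {
	Kind   string // healthy, vpn_restart, dns_update_failed, public_ip, wg_connect, port_forward_api_unreachable
	Detail string
}

var (
	unhealthyRe = regexp.MustCompile(`unhealthy for (\S+): restarting VPN`)
	publicIPRe  = regexp.MustCompile(`Public IP address is (\S+)`)
	connectRe   = regexp.MustCompile(`\[wireguard\] Connecting to (\S+)`)
	getURLRe    = regexp.MustCompile(`Get "([^"]+)"`)
)

func submatch(re *regexp.Regexp, line string) string {
	if m := re.FindStringSubmatch(line); m != nil {
		return m[1]
	}
	return ""
}

// Classify maps one log line to a Finding; ok is false for lines that carry no signal.
func Classify(line string) (f Finding, ok bool) {
	switch {
	case strings.Contains(line, "[healthcheck] healthy!"):
		return Finding{Kind: "healthy"}, true
	case strings.Contains(line, "[healthcheck] program has been unhealthy"):
		return Finding{Kind: "vpn_restart", Detail: submatch(unhealthyRe, line)}, true
	case strings.Contains(line, "WARN [dns] cannot update files"):
		return Finding{Kind: "dns_update_failed"}, true
	case strings.Contains(line, "[ip getter] Public IP address is"):
		return Finding{Kind: "public_ip", Detail: submatch(publicIPRe, line)}, true
	case strings.Contains(line, "[wireguard] Connecting to"):
		return Finding{Kind: "wg_connect", Detail: submatch(connectRe, line)}, true
	case strings.Contains(line, "ERROR [vpn] port forwarding"):
		f = Finding{Kind: "port_forward_api_unreachable"}
		if u, err := url.Parse(submatch(getURLRe, line)); err == nil {
			f.Detail = u.Host // the in-tunnel PIA API address gluetun could not reach
			// gluetun prints the token as <token>; anything else is a credential in the log.
			if tok := u.Query().Get("token"); tok != "" && tok != "<token>" {
				f.Detail += " (unredacted token in log)"
			}
		}
		return f, true
	}
	return Finding{}, false
}

// Summarize reduces a log excerpt to the verdict the comments in this thread reach by hand.
func Summarize(lines []string) (verdict string, findings []Finding) {
	restarts, healthy, pfErr := 0, false, false
	for _, l := range lines {
		f, ok := Classify(l)
		if !ok {
			continue
		}
		findings = append(findings, f)
		switch f.Kind {
		case "vpn_restart":
			restarts++
		case "healthy":
			healthy = true
		case "port_forward_api_unreachable":
			pfErr = true
		}
	}
	switch {
	case restarts > 0 && !healthy:
		return "tunnel_down", findings // keys, server or /dev/net/tun: fix the tunnel before port forwarding
	case pfErr:
		return "tunnel_up_port_forward_api_unreachable", findings
	case healthy:
		return "tunnel_up", findings
	}
	return "inconclusive", findings
}

// RestartLoopLog and PortForwardLog are constructed from log lines posted in this thread.
var RestartLoopLog = []string{
	`2024-07-12T13:59:22Z INFO [wireguard] Connecting to 91.90.126.40:1337`,
	`2024-07-12T13:59:32Z INFO [healthcheck] program has been unhealthy for 6s: restarting VPN`,
	`2024-07-12T13:59:37Z WARN [dns] cannot update files: Get "https://www.internic.net/domain/named.root": context deadline exceeded (Client.Timeout exceeded while awaiting headers)`,
	`2024-07-12T13:59:44Z INFO [healthcheck] program has been unhealthy for 11s: restarting VPN`,
}

var PortForwardLog = []string{
	`2024-07-12T16:33:44Z INFO [wireguard] Connecting to 179.61.228.3:1337`,
	`2024-07-12T16:33:45Z INFO [healthcheck] healthy!`,
	`2024-07-12T16:34:00Z INFO [ip getter] Public IP address is 179.61.228.3 (Australia, Western Australia, Perth)`,
	`2024-07-12T16:34:34Z ERROR [vpn] port forwarding for the first time: refreshing port forward data: fetching port forwarding data: obtaining signature payload: Get "https://10.2.157.1:19999/getSignature?token=<token>": context deadline exceeded (Client.Timeout exceeded while awaiting headers)`,
}
```

Feed `docker logs gluetun` output to `Summarize` line by line; a `tunnel_down` verdict means the earlier advice in this thread (keys, server, tun device) applies, while `tunnel_up_port_forward_api_unreachable` is the state both reporters ended up in, with the unreachable host printed so it can be compared against what the reference script logs as its API endpoint.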

xtinct101 commented 2 months ago

Yep and that’s the issue we’re trying to fix. Port forwarding is not working on PIA and wireguard. So now you’re exactly where I am.

jpcapone commented 2 months ago

Hahahahaha! Well, thanks for helping me get here. I'll keep my eye on this thread!!

jpcapone commented 2 months ago

> Yep and that’s the issue we’re trying to fix. Port forwarding is not working on PIA and wireguard. So now you’re exactly where I am.

It's crazy how you get different results from different servers. I pulled a list of PIA servers that support port forwarding and Panama, Bahamas are both listed but Au Perth is the one that worked for me.

xtinct101 commented 2 months ago

I love Gluetun and can't wait to get it sorted but until then you can use https://github.com/thrnz/docker-wireguard-pia to get PIA wireguard with port forwarding.

qdm12 commented 2 months ago

@xtinct101 @jpcapone

Two questions:

  1. When running Gluetun+Wireguard+Custom(PIA), what do you get from docker exec gluetun traceroute -4 -m 1 -i tun0 privateinternetaccess.com?
  2. I've been reviewing the code in https://github.com/thrnz/docker-wireguard-pia and it seems the same as Gluetun's one. For the same Wireguard server, what do you have logged by this line in the form $(date): Using $api_ip as API endpoint (if it shows at all)? I'm curious to find the difference, I would guess this is really just the wrong IP address (which oddly works for OpenVPN but not for Wireguard servers).

There is an important bug in the settings reading system, I'm working on a fix first

This is fixed in 9d50c2353204a6d497b94fbfa96423c8bda5f529 (bug was introduced on the master branch after the last release v3.38.0). Thanks for taking the time to mention it didn't work! Now the new variables will work (VPN_PORT_FORWARDING_USERNAME and VPN_PORT_FORWARDING_PASSWORD).

@xtinct101 Thank you for helping out @jpcapone 👍 However, I marked the few comments as off-topic since this is about bringing PIA port forwarding to life when using Wireguard (custom provider), and it's hard to focus on what's what otherwise. Anyway it seems it's resolved so congrats on that 💯

Also FYI & AFAIK:

> For me it's the container network.

The container network Gluetun is part of is automatically allowed traffic with (at least it should!), so you should not have to set this. If it's your LAN, you might need to though.